Which of the following is most important to the success of an information security program?

Susan Dery

Published Apr 23, 2015

Based on my experience implementing security in a major financial firm, I offer the following five critical factors for success. These factors address the “how” rather than the “what” of a security program - that is, whether or not your information security program is positioned for success.

1.  A good strategy based upon what is important for the business to protect, and that is part of the larger organizational risk management program. Without the root of the program being driven by what is important to the organization, there is no effective way to design the security solutions or to prioritize the activities and alerts generated by the solutions in place. Attempting to protect everything in the same manner with the same level of attention is unrealistic because there is simply too much to pay attention to.

2.  Organizational wherewithal to implement the solutions and changes necessary throughout the technology base. Much attention is given to where the Chief Information Security Officer (CISO) organizationally reports, but what is most important is either the authority or the relationships to get things done within the organization. Hardware and software asset management is but one example of a critical technical foundation for effective information security - technology infrastructure partners need to be on board. Perhaps the best way to achieve organizational effectiveness is with a governance board made up of both business and technology senior leaders. In this type of governance model, the CISO would make recommendations regarding non-standard or controversial issues, but the governance board would make the decisions. Such a governance model places the burden of risk where it belongs, with the business. It also provides a better opportunity for the CISO and her organization to be in the role of helpful partner rather than compliance officer.

3.  Sufficient resourcing based upon the strategy and associated program design decisions. Technology in place without proper operational support and monitoring is not only a waste of money but potentially harmful to the organization. Ongoing validation of program effectiveness is particularly important for information security because, unlike many other IT processes, there generally aren’t obvious signals that controls are not working. Resourcing must include ongoing technical and process validation/testing, not just the resources to perform the tasks. Outsourcing can be extremely helpful in obtaining necessary specific skills; however, you can’t outsource risk. If sufficient resources are not available for the program design, redesign.

4.  Consistent with the strategy, a program design which is framework-based and that balances protective, detective, and responsive capabilities. The program design requires optimization of the resources available. This is not to suggest that the program use a framework merely to create a set of controls that ensure compliance. Compliance does not equal security. The frameworks and associated control listings should be utilized to ensure that controls are thorough and complete. No one wants a wide-open back door neglected out of lack of due diligence. Also, while an ounce of prevention is still worth a pound of cure, having sufficient detection capabilities is critical, as a persistent attacker will always penetrate your controls.

5.  Forward-looking stance. Since the pace of technology advancement continues to increase, both in general and certainly in information security technologies, staying in front of the curve is critical. You don’t want to be figuring out what to consider and how to secure a new technology when the company is already in the process of purchasing that technology. Also, keeping apace with the information security industry will improve strategy planning and execution.

In considering the above, I suggest you ask yourself the following questions regarding your information security program: Can you articulate the information security strategy for your organization? Does that strategy focus on what is critical to protect, and is it part of the overall risk management strategy? Is the information security group effective in accomplishing its proposed solutions throughout the organization? Are they viewed as a partner in development activities and at the table when new technologies are considered? Is there sufficient funding as well as skills and abilities for information security? How do you know the security controls are complete, and are they periodically tested for effectiveness? Are there sufficient protective controls as well as the ability to detect and respond to successful attacks?

While the factors above don’t begin to address the question of what specific controls and technology should be in place for your organization, without these success factors even the best set of controls and technologies won't be successful in protecting your organization.
